Fix Socket.IO TLS context for pinned certificates

2025-10-18 05:31:12 -06:00
parent 3a71cc4c42
commit 45ac0dc7a4


@@ -931,8 +931,15 @@ class AgentHttpClient:
context = None
if isinstance(verify, str) and os.path.isfile(verify):
try:
context = ssl.create_default_context(cafile=verify)
# ``create_default_context`` expects a proper CA bundle and
# will reject self-signed leaf certificates that we pin on
# disk. Build a dedicated client context instead and load
# the pinned certificate as a trust anchor so the SYSTEM
# agent can complete TLS handshakes identical to Requests.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname = False
context.verify_mode = ssl.CERT_REQUIRED
context.load_verify_locations(cafile=verify)
_log_agent(
f"SocketIO TLS alignment created SSLContext from cafile={verify}",
fname="agent.log",